CVE-2026-21488

Medium

Published: 06 January 2026

Published

06 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21488 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002).

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Vulnerability is triggered by processing a malicious ICC profile file, directly mapping to user execution of a malicious file for local exploitation leading to DoS/info leak.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in…

version 2.3.1.2.

Deeper analysisAI

CVE-2026-21488 is a vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are affected by out-of-bounds read (CWE-125), heap-based buffer overflow (CWE-122), and improper null termination (CWE-170) issues in the CIccTagText::Read function. The vulnerability was published on 2026-01-06 and has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H).

An attacker with local access can exploit this vulnerability with low complexity and no privileges required, but it necessitates user interaction, such as tricking a user into processing a malicious ICC profile. Successful exploitation could lead to a heap-based buffer overflow causing high availability impact, such as application crashes or denial of service, alongside limited confidentiality impact from the out-of-bounds read.

The issue is addressed in iccDEV version 2.3.1.2. Mitigation involves updating to this patched version, as detailed in the GitHub security advisory (GHSA-4j2g-rvv4-86vg) and the fixing commit (9daaccceb231c43db8cab312ee5bbe9d2aa6b153).

Details

CWE(s): CWE-122 CWE-125 CWE-170

Affected Products

color

iccdev

≤ 2.3.1.2

CVEs Like This One

CVE-2026-24852Same product: Color Iccdev

CVE-2026-21494Same product: Color Iccdev

CVE-2026-21490Same product: Color Iccdev

CVE-2026-21489Same product: Color Iccdev

CVE-2026-21504Same product: Color Iccdev

CVE-2026-25583Same product: Color Iccdev

CVE-2026-21491Same product: Color Iccdev

CVE-2026-21679Same product: Color Iccdev

CVE-2026-27692Same product: Color Iccdev

CVE-2026-22255Same product: Color Iccdev

References

https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153
Patch · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg
Vendor Advisory · security-advisories@github.com